Art Unit: 2135 

DETAILED ACTION 

1. Claims 1, 3, 5-8, 10, 12-14 are pending. 

2. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has 
been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 11/14/2007 
has been entered. 

EXAMINER'S AMENDMENT 

1. An examiner's amendment to the record appears below. Should the changes 
and/or additions be unacceptable to applicant, an amendment may be filed as provided 
by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted 
no later than the payment of the issue fee. 

Authorization for this examiner's amendment was given in a telephone interview 
with Rupak Nag (612) 252-3335 on 2/28/2008. 

The application has been amended as follows: 

1. (currently amended) In a distributed network having a number of server
computers and associated client devices, method of isolating infected client devices from 
uninfected client devices and of inoculating the infected devices, comprising: 

correlating network related virus infection reports of virus attacks; 

when a specific number of reports have been correlated, determining if a virus 
outbreak has occurred based on the correlated information wherein an outbreak has 
occurred when the number of occurrences of a specified virus has surpassed a threshold; 

isolating infected client devices from uninfected client devices when the virus 
outbreak is confirmed; 

copying by a traffic controller substantially all data packets included in the 
network traffic: and forwarding the copied data packets to a virus analyzer unit: 

a controller signaling a virus monitor to switch to inline mode where all data 
packets are checked for the virus and related viruses without copying of the data 
packets; 

monitoring all data packets in the network for the virus;

identifying the virus;

blocking only packets infected by the particular virus;

creating an anti-virus agent, wherein creating an anti-virus agent further
includes:

parsing the virus into 1) a detection module that identifies a selected one of 
the client devices as a target client device, 2) an infection module that causes the virus to 
infect the target client device not infected by the selected virus, and 3) a viral code 
payload module that infects the target client device; 

analyzing the infection module to determine the method of infection and
the anti-viral payload module to determine the deleterious effects; 

modifying the infection module to infect client devices already infected by 
the virus; 

incorporating the anti-virus into the payload module that acts to prevent 
further infection by the virus; and 

forming an anti-computer virus agent by combining the detection module, 
the modified infection module, and the modified viral payload module. 

3. (currently amended) A method as recited in claim [[2]] 1, further comprising: 
forwarding to a virus analyzer unit coupled to [[the]] a network computer virus
sensor only those data packets deemed to be infected by the identified computer virus or
computer worm.

4. (cancelled). 

5. (currently amended) A method as recited in claim [[4]] 3, comprising: forwarding 
the copied data packets to a packet protocol determinator; and determining the packet 
protocol of the copied data packet. 

8. (currently amended) In a distributed network having a number of server 
computers and associated client devices, computer program product for isolating 
infected client devices from uninfected client devices and of inoculating the infected 
devices embodied in a computer readable storage medium for storing the following
computer code, comprising:

computer code for correlating network related virus infection reports of virus 
attacks; 

when a specific number of reports have been correlated, computer code for 
determining if a virus outbreak has occurred based on the correlated information 
wherein an outbreak has occurred when the number of occurrences of a specified virus 
has surpassed a threshold; 

computer code for isolating infected client devices from uninfected client devices 
when the virus outbreak is confirmed; 

computer code copying by a traffic controller substantially all data packets 
included in the network traffic: and forwarding the copied data packets to a virus 
analyzer unit: 

computer code controlling a controller to signaling a virus monitor to switch to 
inline mode where all data packets are checked for the virus and related viruses without 
copying of the data packets; 

computer code for monitoring all data packets in the network for the virus; 

computer code for identifying the virus; 

computer code for blocking only packets infected by the particular virus; 

computer code for creating an anti-virus agent, wherein creating an anti-virus 
agent further includes: 

parsing the virus into 1) a detection module that identifies a selected one of 
the client devices as a target client device, 2) an infection module that causes the virus to 
infect the target client device not infected by the selected virus, and 3) a viral code
payload module that infects the target client device; 

analyzing the infection module to determine the method of infection and 
the anti-viral payload module to determine the deleterious effects; 

modifying the infection module to infect client devices already infected by
the virus;

incorporating the anti-virus into the payload module that acts to prevent 
further infection by the virus; and 

forming an anti-computer virus agent by combining the detection module, 
the modified infection module, and the modified viral payload module. 
computer readable medium for storing the code. 

10. (currently amended) Computer program product as recited in Claim [[9]] 8, 
further comprising: 

computer code for forwarding to a virus analyzer unit coupled to [[the]] a 
network computer virus sensor only those data packets deemed to be infected by the 
identified computer virus or computer worm. 

11. (cancelled). 

12. (currently amended) Computer program product as recited in claim [[11]] 10, 
comprising: computer code for forwarding the copied data packets to a packet protocol 
determinator; and computer code for determining the packet protocol of the copied data
packet. 

13. (currently amended) Computer program product as recited in claim 12, further 
comprising: computer code for receiving at a trash collector those copied data packets
determined to be of a protocol not likely to be infected by the detected computer virus or 
computer worm; and computer code for receiving and analyzing those copied data 
packets determined to be of a protocol likely to be infected by the detected computer 
virus or computer worm at a filescan unit. 

14. (currently amended) Computer program product as recited in claim 13, further 
comprising: computer code for determining by a virus/worm analyzer unit if those 
copied data packets received at the filescan unit are infected by the detected computer 
virus or computer worm; computer code for forwarding those packets determined not to 
be infected to the trash collector; computer code for analyzing the infected copied data 
packets; and computer code for generating a virus report based upon the analysis. 

Allowable Subject Matter

1. Claims 1, 3, 5-8, 10, 12-14 are allowed. 

2. The following is an examiner's statement of reasons for allowance: The prior art 
teaches the copying of substantially all data packets in the network traffic prior to 
forwarding to virus analyzer, but fails to teach parsing a virus into 1) a detection module 
that identifies a selected one of the client devices as a target client device, 2) an infection 
module that causes the virus to infect the target client device not infected by the selected 
virus, and 3) a viral code payload module that infects the targeted client device. The 
prior art further fails to teach modifying the infection module to infect client devices 
already infected by the virus and incorporating the anti-virus into the payload module 
that acts to prevent further infection by the virus. 

Any comments considered necessary by applicant must be submitted no later 
than the payment of the issue fee and, to avoid processing delays, should preferably 
accompany the issue fee. Such submissions should be clearly labeled "Comments on 
Statement of Reasons for Allowance." 

Conclusion

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

• US 6,901,519 - E-mail virus protection. 

• US 5,440,723 - Automatic Immune System. 

• US 5,511,163 - Virus Signature Recognition. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to RANDAL D. MORAN whose telephone number is 
(571)270-1255. The examiner can normally be reached on M-F: 7:00 - 4:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Supervisory Patent Examiner, Art Unit 2135



